Today’s digital economy is heavily driven by the ability to seamlessly transfer enormous volumes of data around the world. However, the subsequent risks the technologies that enable these transfers create have led many countries to introduce laws to safeguard personal data. CNME examines how Middle East enterprises should approach data management across borders.
Regulators have for a long time been aware of the risks associated with collecting and storing large volumes of personal data, which is feared of being lost or stolen. In efforts to address such risks, many regulators have introduced extensive laws designed to protect such sensitive data.
Nobody can underestimate the importance of data protection, but the efforts to address this issue only leads to further headaches for enterprises –how to transfer data across borders where laws in one country may be completely different to the other.
“When you compare the various data protection laws that exist around the world, the one common trait is that there is no overall consistency,” says Paul Allen, head of intellectual property and technology for the Middle East at global law firm DLA Piper.
“For instance, in the UAE (excluding the Dubai International Financial Centre) there is no comprehensive law dealing with the protection of personal information. Instead, like other countries within the Middle East, various local laws offer some protection of privacy and personal data,” he adds.
Allen contrasts the UAE and Middle East with the EU, which is often considered to be at the forefront of data protection regulation.
“In the EU, extensive data protection regulations govern the collection, storage, handling and management of personal data. Arguably, it’s the disparity between regulatory regimes that cases the biggest problems for businesses as they struggle to stay on top of the differing compliance regimes,” Allen says.
Implications
One significant implication of transferring data across border is the possibility of the data protection laws of one country being applicable to an organisation simply because it transferred personal data to the relevant country for processing.
“If a company based in the UAE transfers personal data to, for example, the UK for processing, it is possible it would be subject to the provisions of the UK’s Data Protection Act 1998, a law with stiff penalties for those that offend against it. It is therefore essential for any organisation transferring or receiving personal data across borders to ask itself whether it must comply with any laws either in the country of origin or receipt,” Allen says.
Storing, accessing and leveraging business critical data will remain a strategic imperative for organisations of all sizes across the world, according to Aman Munglani, research director at Gartner.
He believes that many organisations do have an effective policy for data storage, information management, and backup and recovery, but that the biggest challenges come when the data centre a company uses is located outside the country.
“The major issues companies are most concerned about are security of data, remediation of services in case of a disaster, meeting the requirements of compliance laws, and data encryption and retention requirements,” Munglani says.
He adds, however, that compliance laws are in fact a driver for investments in technology within the Middle East, but its fast-changing regulatory environment is leading to companies having to change their infrastructure.
“Compliance requirements relating to data are getting a lot more strict and the net impact is such that companies are having to revisit their data management policies and reinvest in replacing infrastructure on a need be basis to meet the new laws and governance procedures,” Munglani says.
Data management across borders can especially become an issue when an organisation in the Middle East wishes to put data in a public cloud.
“If personal data is placed in the public cloud, that data may be stored on servers in one or several countries. Practically, this raises issues as to which jurisdiction’s data protection regime will apply,” Allen says.
Munglani adds: “The cloud service provider needs to have the proper security policies to ensure that the data stored within its premises is not infringed with. Companies should monitor all relevant laws and regulations applicable to their specific industry and work with the service provider to ensure that all the necessary laws are being adhered to.”
Recommendations
Allen recommends that organisations concerned about data protection issues should speak to a professional advisor.
“It may be that their issue can be dealt with simply and without the need to be concerned by data protection laws of other countries. On the other hand, it may be that significant steps must be taken to ensure compliance. A professional data protection advisor will be able to help determine what course of action is best in the circumstances,” he says.
He adds that if an organisation is required to comply with one or more extensive data protection regimes, it is probably best to carry out an information handling assessment.
“Through this assessment the personal data collected by the organisation is identified, along with all relevant details regarding the storage, use and management of that data, including the countries where the data is collected, stored, transferred and processed,” Allen says.
“Once this information is known, a compliance programme can be devised which takes into account the commonalities and differences between all applicable laws so as to create a programme that is as efficient and easy to manage as possible,” he adds.
Munglani suggests organisations should look at technologies that allow them to scale up their requirements as business grows.
“That way they don’t have to look at expensive upgrades to the infrastructure every time a rule change necessitates. Also, they should understand the impact of emerging technologies such as cloud computing and loop that into their data governance plans,” he says.
“I think governments across the world are getting a lot more stringent as regards data policies, both with personal data and with corporate data, so it’s important for organisations to stay on top on this,” he adds.
